So the above API is supported on Windows 8 store apps, Windows 8 desktop apps, Windows phone 8 apps and can be used via three languages (C#, VB, C++) and it will build on three architectures (X86, x64 and ARM....

Re: "We fix things once we know they're broken"

Cool :)

ooo thanks El Reg....I just tried it (seems my £9 per month Windows Phone Zune Subscription account got automigrated over to XBox) and I can download music and stream to the Win 8 PC via the music app. So that means music in the living room via the Xbox, music on WP phone, music on the Zune, music on home PC and on my slate. Already downloaded 4 GB music....

Re: windows store apple store linux store

Re: Where's the XNA?

I suspect they only lost one developer and that was you, all the other developers ported their XNA WP7 apps in 20 mins using http://monogame.codeplex.com/ and have it sat waiting for certification in the Win8 App store and are down the pub while you're whining on here :) Keep up old boy.

Move along... nothin’ to see here....

MS said the bug was exploitable, said it was difficult to exploit and updated IIS two months prior to the conference where this mitigation research was discussed.

Mitigations are used to slow down attackers in their development of exploits, to try and make those exploits unreliable, and to raise the bar of the skill required to create such exploits (e.g. Chris Valasek is a Senior Research Scientist). The mitigations in this case served that purpose. Mitigations don’t take away the need to update the binaries and IIS was still fixed. Mitigations for all platforms are constantly updated to reflect research from White/Grey/Black Hats. Mitigation bypasses generally do not work broadly.

Server DoS's are typically patched by MS anyway, so whether or not it was exploitable is irrelevant, detailing whether it is exploitable or not is to allow the system admin to make a decision in how to prioritise the downloading/testing and rolling out the patch.

The revised blog post, that wasn't referenced by Dan for some reason, said it was exploitable:

“Vulnerability details for CVE-2010-3972 are public. However, it will be difficult to build a reliable exploit for code execution. We have heard rumors [sic] of an exploit technique that will be discussed publicly in April by Chris Valasek and Ryan Smith.”